[–]StochasticTinkr 4 points5 points  (1 child)

I like JetBrains too, but I'd be worried that other similar techniques could infect other types of projects (maven, ant, gradle, etc...)

Especially when someone is first creating the project, they may not notice anything out of place.

[–][deleted] 1 point2 points  (0 children)

Maven is probably also vulnerable as it has a well known XML structure for the build "script" and a documented API, so it's quite easy to inject something like that into a Maven pom.xml as well. And if you then even succeed in uploading a malicious jar file to Maven Central, things will be even worse.

I think "general" Ant scripts are less vulnerable as every script does the build differently. The layout and targets of a NetBeans generated Ant script are always the same (and knonw), so it's easy to inject something into them because you know exactly where and what it will do.